storkit: accept 359_story_harden_docker_setup_for_security
This commit is contained in:
Dave
@@ -1,28 +0,0 @@
|
||||
---
|
||||
name: "Harden Docker setup for security"
|
||||
retry_count: 3
|
||||
blocked: true
|
||||
---
|
||||
|
||||
# Story 359: Harden Docker setup for security
|
||||
|
||||
## User Story
|
||||
|
||||
As a storkit operator, I want the Docker container to run with hardened security settings, so that a compromised agent or malicious codebase cannot escape the container or affect the host.
|
||||
|
||||
## Acceptance Criteria
|
||||
|
||||
- [ ] Container runs as a non-root user
|
||||
- [ ] Root filesystem is read-only with only necessary paths writable (e.g. /tmp, cargo cache, claude state volumes)
|
||||
- [ ] Linux capabilities dropped to minimum required (cap_drop: ALL, add back only what's needed)
|
||||
- [ ] no-new-privileges flag is set
|
||||
- [ ] Resource limits (CPU and memory) are configured in docker-compose.yml
|
||||
- [ ] Outbound network access is restricted where possible
|
||||
- [ ] ANTHROPIC_API_KEY is passed via Docker secrets or .env file, not hardcoded in compose
|
||||
- [ ] Image passes a CVE scan with no critical vulnerabilities
|
||||
- [ ] Port binding uses 127.0.0.1 instead of 0.0.0.0 (e.g. "127.0.0.1:3001:3001") so the web UI is not exposed on all interfaces
|
||||
- [ ] Git identity is configured via explicit GIT_USER_NAME and GIT_USER_EMAIL env vars; container fails loudly on startup if either is missing (note: multi-user/distributed case where different users need different identities is out of scope and will require a different solution)
|
||||
|
||||
## Out of Scope
|
||||
|
||||
- TBD
|
||||
Reference in New Issue
Block a user